Microsoft Security Advisory 2876146

General Information

Executive Summary

Microsoft is aware of a public report that describes a known weakness in the Wi-Fi authentication protocol known as PEAP-MS-CHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2), used by Windows Phones for WPA2 wireless authentication. In vulnerable scenarios, an attacker who successfully exploited this issue could achieve information disclosure against the targeted device. Microsoft is not currently aware of active attacks or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.

To exploit this issue, an attacker controlled system could pose as a known Wi-Fi access point, causing the targeted device to automatically attempt to authenticate with the access point, and in turn allowing the attacker to intercept the victim's encrypted domain credentials. An attacker could then exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to obtain the victim's domain credentials. Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource.

Recommendation. Apply the suggested action to require a certificate verifying a wireless access point before starting an authentication process. Please see the Suggested Actions section of this advisory for more information.

Advisory Details

Affected Software

What is the scope of the advisory?The purpose of this advisory is to notify customers that Microsoft is aware of a public report that describes a known weakness regarding the Wi-Fi authentication protocol known as PEAP-MS-CHAPv2. This issue affects Windows Phone devices. This issue affects the device operating systems that are listed in the Affected Software section.

Is this a security vulnerability that requires Microsoft to issue a security update?No, this is not a security vulnerability that requires Microsoft to issue a security update. This issue is due to known cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol and is addressed through implementing configuration changes on the wireless access points and on Windows Phone 8 devices.

What might an attacker use the issueto do?In most scenarios, an attacker who successfully exploited this issue could gain information disclosure of a victim's domain credentials from the targeted device. An attacker could re-use a victim's domain credentials to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource.

How could an attacker exploit the issue?An attacker-controlled system could pose as a known Wi-Fi access point, causing the victim's device to automatically attempt to authenticate with the access point, and in turn allowing the attacker to intercept the victim's encrypted domain credentials. An attacker could then exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to obtain the victim's domain credentials.

What is PEAP-MS-CHAPv2?PEAP-MS-CHAPv2 is a wireless authentication protocol used to authenticate a user to an access point with the intention of ensuring only authorized devices can connect to a wireless network. PEAP-MS-CHAPv2 is commonly used with WPA2 wireless protection protocol.

What is WPA2?Wi-Fi Protected Access II (WPA2), IEEE 802.11i, is a security protocol used to ensure the confidentiality of wireless network communication and is the successor of WPA.

A Windows Phone 8 device can be configured to validate a network access point to help make sure the network is your company’s network before starting an authentication process. This can be done by validating a certificate that's on your company’s server. Only after validating the certificate is user name and password information sent to the authentication server, so the phone can connect to the Wi-Fi network.

Issuing the certificate:

Corporate IT issues the root certificate that can be used to validate the Wireless access point. The certificate should have an easy to remember name; for instance, "Contoso Corporate Root Certificate". This certificate could have already been provisioned via the IT managed MDM (Mobile Device Management solution).

The certificate can be issued via an email message. The email message should also contain instructions from the IT department on how to turn on Wi-Fi certificate validation. For instance, the email message could contain the following steps.

Configuring a Windows Phone 8 to require a certificateverifying a wireless access point:

After receiving the root certificate from Corporate IT, each Windows Phone 8 user performs the following steps:

Delete the previously configured Wi-Fi connection.

In Settings, Wi-Fi, tap Advanced

Tap and hold over the selected Wi-Fi network, and choose delete

Create a new connection and enable server certificate validation.

In Wi-Fi settings, tap on the enterprise Wi-Fi network access point which will open a Sign-in page

Enter username and password

Toggle "Validate Server Certificate" to On

Tap to choose a certificate

In the list of certificates to select, pick the root certificate issued from Corporate IT (for example, "Contoso Corporate Root Certificate"), and tap Done

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.